Topic: What the hell is OpenCandy? (Read 271036 times)

All this testing was done on a VMWare VM. Testing started on a clean WinXP SP3 install. I took a registry and filesystem snapshot, proceeded to install MediaCoder (Audio Edition), typical next-next-next install. It left an OpenCandy folder in the temp dir, with a DLL and a small explanation (OpenCandy_Why_Is_This_Here.txt). After a reboot, for good measure, a third filesystem snapshot showed no changes, and the DLL was still there. However, I had no problems deleting the file. I poked fun at the DLL using OllyDbg (with MediaCoder as my victim) and found that indeed, all information sent is non-personally identifying. However, it saved stuff (session keys, product keys) in HKLM\Software\MediaCoder with cryptic names, even if I didn't install anything.

It's really opt-in as far as the additional installations are concerned, but I'm not sure about the purpose of those reg entries. I could do some more poking at it with Olly, but I'd rather hear the official version.

I tried Miro too, but they now bundle the Ask toolbar (opt-out).

I like the end-user experience, but I'm not sure why the reg keys are saved (and why they aren't clearly identified as belonging to OpenCandy).

Hope all of you are well. I'm in the middle of moving (and re-setting up my lab) right now but I'll be back tomorrow to post more information. I figured I could throw a couple of things out here now.

The FAQs I promised are finally done and are going to be posted tomorrow (what a coincidence!). The FAQs include information about the registry entries. Quickly though, even if you don't accept a recommendation, bookkeeping information about the publisher's software you did install (in your case Scancode, MediaCoder) is created within the publisher's registry key inside an OpenCandy key (so in this case it should be HKLM\Software\MediaCoder\OpenCandy\), as well as a non-reversible identifier created via a randomly generated number, which helps us prevent fraud/gaming and also lowers the likelihood that a declined recommendation will be shown again in the future.

Something big I want to announce... We've updated our plug-in (which all publishers are in the process of updating to/re-integrating) to version 1.3, so that OpenCandy-provided files are only TEMPORARILY copied to the computer IF a recommendation is accepted, and then they are deleted after the recommended software is downloaded and installed. So OpenCandy files will no longer be left behind! Which also means (by the very nature of not leaving OCSetupHlp.dll behind) that we have eliminated uninstall tracking for our publishers. It could take up to 4-6 weeks for everyone who participates as a publisher to update their installers with the new plug-in though (based on their release cycles, etc.).
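The before/after snapshot approach Scancode describes, applied to the registry side of it, as an added example that is not anyone's tooling from this thread: it parses two Windows .reg exports (one taken before the install, one after), reports what appeared or changed, and flags entries that live under an OpenCandy subkey such as the HKLM\Software\MediaCoder\OpenCandy key discussed above. Both exports and the value names in them are constructed sample data.

```python
import re

# Constructed sample exports (what "regedit /e" produces), before and after an install.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\MediaCoder]
"InstallDir"="C:\\Program Files\\MediaCoder"
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\MediaCoder]
"InstallDir"="C:\\Program Files\\MediaCoder"

[HKEY_LOCAL_MACHINE\Software\MediaCoder\OpenCandy]
"sk"="a1b2c3d4"
"pk"="ffee9988"
"""

def parse_reg(text):
    """Flatten a .reg export into {(key_path, value_name): raw_data}.

    The key itself is recorded as (key_path, None) so empty keys still show up.
    The default value "@" keeps the name "@".
    """
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            entries[(key, None)] = None
            continue
        m = re.match(r'^(@|"[^"]+")=(.*)$', line)
        if m and key:
            entries[(key, m.group(1).strip('"'))] = m.group(2)
    return entries

def diff_reg(before_text, after_text):
    """Return (added, changed, removed) between two exports."""
    b, a = parse_reg(before_text), parse_reg(after_text)
    added = {k: v for k, v in a.items() if k not in b}
    changed = {k: (b[k], v) for k, v in a.items() if k in b and b[k] != v}
    removed = [k for k in b if k not in a]
    return added, changed, removed

def flag_opencandy(entries):
    """Keep only entries whose key path contains an OpenCandy subkey."""
    return {k: v for k, v in entries.items() if "\\opencandy" in k[0].lower()}

if __name__ == "__main__":
    added, changed, removed = diff_reg(BEFORE_REG, AFTER_REG)
    for (key, name), data in flag_opencandy(added).items():
        print(f"NEW under OpenCandy: {key} :: {name} = {data}")
```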

Quickly though, even if you don't accept a recommendation, bookkeeping information about the publisher's software you did install (in your case Scancode, MediaCoder) is created within the publisher's registry key inside an OpenCandy key (so in this case it should be HKLM\Software\MediaCoder\OpenCandy\), as well as a non-reversible identifier created via a randomly generated number, which helps us prevent fraud/gaming and also lowers the likelihood that a declined recommendation will be shown again in the future.

That sounds a bit silly - if a piece of malware is able to scan for OC dlls, it's already on your system - what would it gain, then, by exploiting those DLLs?

I don't really like the concept - for me, no value is added, and having to skip yet another blablabla page during install is annoying. And 300kb (or however big the DLL is now) might not be a lot on my 20mbit ADSL connection, but there's plenty of people who aren't even on 256kbit.

Guess I could live with the scheme, though; it's definitely a lot less bullshit than what other applications are up to. And it's good to know that you're no longer leaving OCSetupHlp.dll behind and doing uninstall tracking... the next step is to make it very clear that data is being sent to your servers, and exactly what kind of data and why.

Anyway, I'm in the suspicious camp with Kartal and app103 on this one. You do seem like a nice guy, and the concept isn't all that bad. However, there really isn't any guarantee that the company won't go rogue... heck, if I managed to win the hearts and minds of users and got a large enough install base that I could make some hundred million bucks by snatching a little bit of usage data and sell people out... wouldn't I be tempted? As app says, there's a lot of power in being able to xref the "pretty harmless" data you're sending with other stuff. (I don't like the obfuscated registry keys, by the way).

Not saying that OpenCandy is evil or that it's going to end up being evil, but I'm not a big fan of advertisements, referrals, or capitalizing on user/usage information. Nothing wrong with making a buck, but I really don't see OC as a value-adder.

The only extra thing i want to comment on is how bizarre a situation we are in where every web site on the planet tracks every click we make, how long we stay on every given page, etc., and no one raises an eyebrow -- but yet if a "program" does it, most of us go crazy.

I have yet to read through this thread (fascinating discussion!), but I think I have what may be a good reason for making the distinction - or two. One: with websites you don't really have a choice. It's not even as if you could avoid sites that gather such data and reward those that don't, because it's a safe bet they all do. With desktop apps though, you still have a choice. Also, you can't tell if someone's Apache server is hooked to a big honking advertising database, but you can usually tell if your desktop apps try to phone home. So not only do you still have a choice, but you have the technology to help you make it.

Two, probably more important. As long as we trust the browsers we're using (and I am aware of JavaScript exploits et al), the information a browser can leak really pales in comparison to what a local app can potentially disclose. Anything on your system that's not encrypted is game, so I'd say the stakes are higher.

The distinction does blur the more people switch to web apps like Gmail or Google Docs, but you can still use your best judgement about what to use Google Docs for, and when to stick with Word. But when you have spyware on your desktop, then the choice between what's sensitive and what isn't is no longer yours.

So I think there is a difference, and of course I still wish Odin's wrath upon all the data collectors everywhere. Bottom line for websites: if tracking me is making you money, I want a piece of it, because it's my stuff. You would not give that data to me for free, would you?

One: with websites you don't really have a choice. It's not even as if you could avoid sites that gather such data and reward those that don't, because it's a safe bet they all do. With desktop apps though, you still have a choice. Also, you can't tell if someone's Apache server is hooked to a big honking advertising database, but you can usually tell if your desktop apps try to phone home. So not only do you still have a choice, but you have the technology to help you make it.

Not trying to defend OpenCandy since it's been so long since I read the thread but you do have a choice when it comes to websites by not visiting, signing up or sharing personal information on them. Pretty much the same thing as not downloading programs = choice. (Voting by boycott)

Also, most popular data mining sites are pretty much known from their Terms of Service and from the controversy they receive. (See Facebook articles)

Two, probably more important. As long as we trust the browsers we're using (and I am aware of JavaScript exploits et al), the information a browser can leak really pales in comparison to what a local app can potentially disclose. Anything on your system that's not encrypted is game, so I'd say the stakes are higher.

Not really. Adware and non-browser exploits are on par just as "rigged" programs are categorized on the same level as Javascript exploits as security/virus issues.

The distinction does blur the more people switch to web apps like Gmail or Google Docs, but you can still use your best judgement about what to use Google Docs for, and when to stick with Word. But when you have spyware on your desktop, then the choice between what's sensitive and what isn't is no longer yours.

Still is really. Remember, until docx, Word had a lot of privacy issues left out in the open. That puts it on par with Google Docs.

Similarly, if you have an additional layer to your data, it's still a case of the spyware being able to break/know the encryption/password and not fully on just gaining access. Also, most spyware can't really compare to the dormant "swine flus" of internet viruses, so for the most part the choice is still yours on whether you will reformat your OS or risk permanently removing it via an anti-spyware.

So I think there is a difference, and of course I still wish Odin's wrath upon all the data collectors everywhere. Bottom line for websites: if tracking me is making you money, I want a piece of it, because it's my stuff. You would not give that data to me for free, would you?

Err... they kind of do. It's the modern day technological implementation of fascism.

Give me your bookmarks, pictures, private photos, personal info for free and we'll make it easier for you to find your friends online or become an internet pop sensation. (the free equivalent of the modern day internet Aryan: instant fame/instant friends/instant consumerist relevance in exchange for illusionary slavery)

I’m back. Things have been hectic. Of course moving took much longer than I thought; I didn’t realize how hard it would be with the baby and doing 95% of the move myself!

Anyway…

Scancode,

Regarding the registry entries:

I misspoke (miswrote?) and should clarify that currently, per our Publisher’s Kit Integration Guide, it is only a requirement that OpenCandy related registry keys be stored within the publisher’s registry key. We don’t specifically require that they be within an OpenCandy subkey, though most publishers (MediaCoder excluded, obviously) do put them within an OpenCandy subkey.

OpenCandy files in temp directory:

I/we owe you a big THANKS! You’ve actually discovered a bug with v1.3 of our plug-in that only affects NSIS based installers. Only the dll (OCSetupHlp.dll) should be in a user’s temp directory (when it’s unpacked by the installer) and it should be removed once the publisher’s installation is completed. This doesn’t change what I said above about when a recommendation is accepted. When that happens, an OpenCandy folder containing the dll (OCSetupHlp.dll) and the text file (OpenCandy_Why_Is_This_Here.txt) is created within the publisher’s installation directory to facilitate the download and installation of the recommended software, and once finished, the folder and files are automatically removed (unless one of those things listed in the OpenCandy_Why_Is_This_Here.txt happens: power goes out, etc.).

We’re in the process of wrapping up version 1.3.1 which rectifies the issue. It'll take a bit before all our publishers have updated their builds. This bug does not affect OpenCandy publishers with Inno-based installers.

Hey y'all (yeah I said "y'all"), hope you're all having a great Wednesday!

DC<>Users is what makes DC great!

I agree, no question.

Regarding the FAQ, whoops. FIXED! I added instructions for those publishers that currently don't use an OpenCandy subkey. See http://www.opencandy...ing-registry-entries Thanks for pointing it out and I appreciate the time you took to read through the FAQs. I'm a big fan of a "second set of eyes", especially when they come from the outside looking in.

I have more great news...

Regarding changing the OC registry entry location to an OC subkey as a requirement, it was in the pipeline but I wasn't sure we would be able to get it into the version 1.3.1 update (which is rolling out shortly with the NSIS bugfix). But... we did! As of v1.3.1, ALL OpenCandy publishers are REQUIRED to put OpenCandy related registry entries inside an OpenCandy subkey within the publisher's registry key.

As a sidenote, while reversing OCSETUPHLP, I found a text reference to /NOCANDY. If I pass that parameter to the installer (MediaCoderAE-0.7.1.4496), OpenCandy does not make any changes at all (no recommendations, no external contact, no reg keys). Is that how it's supposed to work?

OK, here is my bet. I am putting my $100 in if anyone wants to bet on it. I am 100% sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet, I am accepting bets. Since we do not want to gamble, let's keep the amount at not more than $100.

Rather than take bets, it might be more helpful for all to say that in one year you will make a post about OpenCandy, either praising them if they stayed true to their promise, or against them if they turned rogue.

OK, here is my bet. I am putting my $100 in if anyone wants to bet on it. I am 100% sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet, I am accepting bets. Since we do not want to gamble, let's keep the amount at not more than $100.

Hey guys, thanks for the follow ups. I did not know that I won. On the other hand, I am not surprised about my future predictions. I have been trying to talk about certain privacy and security implications of various services and apps on these forums; I am hoping to broaden people's perspective on these very very important issues.

I will happily donate my new income to graceful open source projects and DonationCoder projects.

OK, here is my bet. I am putting my $100 in if anyone wants to bet on it. I am 100% sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet, I am accepting bets. Since we do not want to gamble, let's keep the amount at not more than $100.

That's not an accurate assessment. They do not try to install hidden stuff and spy on your download-installation activity. What they do is not provide an opt-in model, which is quite disappointing. But they are middle of the road rather than malignant in terms of installing hidden stuff.